CVE-2026-10086
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
Description
GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to execute arbitrary client-side code in the context of another user's session, due to improper sanitization of user-supplied input.
In plain language
CVE-2026-10086 is a cross-site scripting (CWE-79) flaw in GitLab EE: user-supplied input is not properly neutralized before it is rendered into a page, so an authenticated user holding the Developer role can, under certain conditions, get attacker-written script to run in another user's browser inside that user's GitLab session. The victim has to open the crafted content (CVSS marks user interaction as required), but once it runs, the script acts with the victim's session and can read or change whatever the victim can, which is why confidentiality and integrity impact are both rated high. If you run GitLab EE in one of the affected version ranges, the fix is to upgrade; act now.
What to do now
- Check whether your GitLab EE instance is on an affected version. Per the advisory, the affected ranges are 16.4 up to but not including 18.11.6, 19.0 up to but not including 19.0.3, and 19.1 up to but not including 19.1.1. Versions earlier than 16.4 are not listed as affected.
- Upgrade GitLab to one of the fixed versions: 18.11.6 or 19.0.3 or 19.1.1 (or newer than the applicable one for your version line).
- After upgrading, confirm the running version is at or above the fix for your release line. The version is shown at the top of the Admin Area dashboard and on the instance's /help page, and `GET /api/v4/version` (authenticated with a personal access token) returns it as JSON. Then spot-check the pages your developer workflows depend on (issues, merge requests, wiki) to make sure they still render normally.
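The three steps above are straightforward to automate. The following is an added example, not code from the page or from GitLab, that encodes the affected ranges from the advisory and decides whether a given version string is inside one of them. The `fetch_instance_version` helper queries GitLab's real `GET /api/v4/version` endpoint with a personal access token; the sample version strings at the bottom are constructed for illustration and do not describe any real instance. The advisory covers GitLab EE; the `-ee`/`-ce` suffix is stripped before comparison, so use judgement if you point this at a CE instance.

```python
"""Decide whether a GitLab version string falls inside the ranges the
CVE-2026-10086 advisory lists as affected, and which fixed release to move to."""
import json
import re
import urllib.request
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges taken from the advisory: [first affected, first fixed) per release line.
AFFECTED_RANGES = (
    ((16, 4, 0), (18, 11, 6)),   # 16.4 up to, but not including, 18.11.6
    ((19, 0, 0), (19, 0, 3)),    # 19.0 up to, but not including, 19.0.3
    ((19, 1, 0), (19, 1, 1)),    # 19.1 up to, but not including, 19.1.1
)


def parse_version(version: str) -> Version:
    """Parse 'MAJOR.MINOR[.PATCH]' with an optional leading 'v' and trailing
    edition/build suffix such as '-ee', '-ce' or '-pre' into a comparable tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(version: str) -> bool:
    """True if the version lies inside any affected range (tuple comparison is
    lexicographic, so 18.11.5 < 18.11.6 and 16.4.0 >= 16.4.0 behave as expected)."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> Optional[str]:
    """Return the first fixed release for the affected line the version is in,
    or None when the version is not in an affected range."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def fetch_instance_version(base_url: str, token: str) -> str:
    """Read the running version from GitLab's GET /api/v4/version endpoint.
    The endpoint requires authentication; a personal access token with the
    read_api scope is sufficient. Returns a string such as '18.11.5-ee'."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v4/version",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample inputs covering each range boundary; not real instances.
    samples = ["16.3.9-ee", "16.4.0-ee", "18.11.5-ee", "18.11.6-ee",
               "19.0.2-ee", "19.0.3-ee", "19.1.0-ee", "19.1.1-ee"]
    for sample in samples:
        if is_vulnerable(sample):
            print(f"{sample:12} AFFECTED  -> upgrade to {recommended_fix(sample)}")
        else:
            print(f"{sample:12} not in an affected range")
```

To check a live instance, call `fetch_instance_version("https://gitlab.example.com", token)` and pass the result to `is_vulnerable`; run it once before the upgrade to confirm exposure and once after to confirm the fix landed.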
CVSS Vector Breakdown
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
- AV:N (Attack Vector: Network)
- AC:L (Attack Complexity: Low)
- PR:L (Privileges Required: Low)
- UI:R (User Interaction: Required)
- S:C (Scope: Changed)
- C:H (Confidentiality: High)
- I:H (Integrity: High)
- A:N (Availability: None)
Weaknesses
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')